With the arrival of digital technology and communications networks, the distribution of audiovisual contents can take place in multiple forms and in novel distribution contexts that used not to exist.
The massive distribution of such contents raises the problem of protecting those contents: although they are now easy to distribute, they are also relatively easy to copy, rapidly and massively.
In order to protect such contents, the technical utilization of cryptography has become widespread with some degree of success. An application of cryptography lies in making transactions between two or more entities secure, by applying a cryptographic task. Such cryptographic tasks include encrypting messages, electronic signatures, or indeed authenticating messages. One encryption method consists essentially in encrypting a message so that only a legitimate destination can decrypt it using software and cryptographic equipment that the user has obtained legally.
The problem with such an encryption technique is that the legitimate user possessing the decryption software may attempt to understand how the software works by performing various so-called “reverse engineering” operations.
Such reverse engineering operations seek to identify the algorithms used in the software, or indeed to recover the keys or the cryptographic secrets that are distributed to the legitimate user and that are used by the decryption software.
Identifying the algorithms and recovering the massively-distributed keys or cryptographic secrets for the purpose of obtaining the cryptographic methods used for encryption thus destroys the efforts made at achieving protection.
In order to combat this reverse-engineering threat to cryptographic algorithms incorporated in consumer software for rendering multimedia contents, proposals have been made for a new cryptographic attack model known as a “white box attack” and for a strategy for protecting the model in the article “A white-box DES implementation for DRM applications” by Chow et al. The cryptographic algorithms described in that article are constituted by affine applications and by non-linear applications using a very small number of variables in the form of stored tables. It thus becomes much more difficult to identify the cryptographic algorithm used, and it is possible to hide certain steps and/or values during the execution of the decryption algorithm.
In particular, variables that pass between the various tables and that are observable to a user, which variables correspond to transition variables between the various individual operations of the cryptographic algorithm for decryption, are themselves coded by a secret coding function. Thus, since the values that can be observed are not directly the values that are used for the individual cryptographic operations, but coded versions of them, reverse engineering is made more difficult.
Nevertheless, cryptanalysts have succeeded in overcoming that protection strategy, as set out in the article “Cryptanalysis of a white box AES implementation” by Billet et al. It has thus been shown that that strategy does not satisfy the intended security objectives, in particular because the protection of the transition variables that are observable by an attacker is not sufficient.